An important security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not formally made available until August 2024 with the release of version r1720. As of November 26, 2024, it has been assigned the CVE identifier CVE-2024-11680 (CVSS score: 9.8).
Synacktiv, which reported the flaw to the project maintainers in January 2023, described it as an improper authorization check that allows an attacker to execute malicious code on susceptible servers.
“An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files,” it said in a report published in July 2024.
“Ultimately, this allows executing arbitrary PHP code on the server hosting the application.”
VulnCheck said it observed unknown threat actors targeting public-facing ProjectSend servers by leveraging exploit code released by Project Discovery and Rapid7. The exploitation attempts are believed to have commenced in September 2024.
The attacks have also been found to enable the user registration feature to gain post-authentication privileges for follow-on exploitation, indicating that they aren’t confined to scanning for vulnerable instances.
“We’re likely in the ‘attackers installing web shells’ territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, too, which could be an interesting and different attack scenario),” VulnCheck’s Jacob Baines said.
“If an attacker has uploaded a web shell, it can be found in a predictable location in upload/files/ off of the webroot.”
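A defender-side check for the predictable location named above, added here as an example and not code from the article, VulnCheck or the ProjectSend project: it walks an upload/files/ directory and flags files that carry a server-side extension anywhere in their name (catching double extensions such as photo.php.jpg) or a PHP open tag in their first bytes. The extension list, the 4 KiB read and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

# Assumed list: server-side extensions a file-sharing upload directory should never hold.
SUSPECT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps", ".inc"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def scan_upload_dir(upload_dir):
    """Return a sorted list of (relative_path, reason) for files that look like
    server-side code, judged by any extension in the name (so shell.php.jpg is
    caught) or by a PHP open tag within the first 4 KiB of content."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, upload_dir)
            parts = name.lower().split(".")
            exts = {"." + p for p in parts[1:]}
            if exts & SUSPECT_EXTS:
                findings.append((rel, "server-side extension in filename"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample upload/files/ tree so the script runs stand-alone."""
    base = tempfile.mkdtemp()
    up = os.path.join(base, "upload", "files")
    os.makedirs(up)
    samples = {
        "report.pdf": b"%PDF-1.4 constructed benign document",
        "shell.php": b"<?php echo 'constructed placeholder'; ?>",  # flagged by name
        "photo.php.jpg": b"\xff\xd8\xff\xe0 JFIF",                  # double extension
        "notes.txt": b"<?php echo 'constructed'; ?>",               # flagged by content
        "readme.md": b"# nothing to see",
    }
    for name, body in samples.items():
        with open(os.path.join(up, name), "wb") as fh:
            fh.write(body)
    return up

if __name__ == "__main__":
    for rel, why in scan_upload_dir(build_sample_tree()):
        print(f"{rel}: {why}")
```

Point it at the real upload/files/ directory under the webroot; a hit is a reason to examine the file and the web server's access log for requests to it.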
An analysis of internet-exposed ProjectSend servers has revealed that a mere 1% of them are using the patched version (r1750), with all the remaining instances running either an unnamed release or version r1605, which came out in October 2022.
In light of what appears to be widespread exploitation, users are recommended to apply the latest patches as soon as possible to mitigate the active threat.